To enable direct login to Piwik from my Virtualmin Piwik plugin, I am posting pre-set username-password combinations to Piwik through a frame. Cookies are preserved (client-side) by pre-loading Piwik in a hidden iframe. However, it gets stuck with nonce validation inside the Login module where the nonce is checked against a form variable.
This works perfectly when nonce verification is bypassed.
- if(Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce)) + if(true || Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce))
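Review bot: `true ||` on the added line short-circuits the condition, so `Piwik_Nonce::verifyNonce('Piwik_Login.login', $nonce)` is never evaluated and every login POST is accepted whatever nonce it carries, for all clients and not only the framed one. If the framed login needs a different path, keep the check in place here and add a separate, explicitly scoped entry point rather than hard-coding `true`.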
I have seen and worked around similar security checks in phpMyAdmin. But there's one noticeable difference between Piwik and phpMyAdmin. Unlike Piwik, phpMyAdmin checks for the token in a cookie variable.
Nobody would want the nonce check removed, including me. However, it would be great if Piwik supports third-party/framed logins without any patches or implementation of just another full-featured login module. Ideally, I am thinking about two possible ways around this:
+ UsersManager.getAuthNonce (userLogin, clientUserAgent)
- $nonce = $form->getSubmitValue('form_nonce'); + $nonce = $_COOKIE['auth_nonce'];
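Review bot: on the added line, `$_COOKIE['auth_nonce']` is a value the browser attaches to every request to the site, so checking it no longer shows that the request came from Piwik's own login form, which is what the `form_nonce` submit value established. Keep a request-borne value (form field or header) in the comparison, and guard the read with `isset()` since the cookie may be absent.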
I would also like to draw your attention to the issues users had recently with double requests from browsers/add-ons (see ). Relocating nonce to a short-lived cookie would most probably make a permanent solution to such future issues as well.
I am asking for this help here because the plugin I am working on is going to be released to the public. Hence, I would prefer an official way to authenticate rather than patching or making complex additions to Piwik source.
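An added example (not from this thread or from Piwik's code base) modelling the difference between checking the login nonce from a form field and from a cookie, as the cookie-based proposal above would. `LoginServer`, its methods and the sample values are constructed for illustration, and the model assumes the browser sends cookies on cross-site requests (no SameSite restriction).

```python
import hmac
import secrets


class LoginServer:
    """Toy model (hypothetical) of a login endpoint issuing a per-session nonce."""

    def __init__(self):
        self.session_nonce = {}  # session id -> nonce issued with the form

    def render_login_form(self, session_id):
        nonce = secrets.token_hex(16)
        self.session_nonce[session_id] = nonce
        return nonce  # embedded in the rendered form as a hidden field

    def _verify(self, session_id, nonce):
        expected = self.session_nonce.get(session_id)
        return (expected is not None and nonce is not None
                and hmac.compare_digest(expected, nonce))

    def login_form_nonce(self, cookies, form):
        # Nonce read from the submitted form: only a page able to read
        # the rendered form can supply it.
        return self._verify(cookies.get("session"), form.get("form_nonce"))

    def login_cookie_nonce(self, cookies, form):
        # Nonce read from a cookie: the browser attaches it automatically.
        return self._verify(cookies.get("session"), cookies.get("auth_nonce"))


def simulate():
    server = LoginServer()
    # Constructed cookie jar after the login page has been loaded once.
    nonce = server.render_login_form("sess-1")
    jar = {"session": "sess-1", "auth_nonce": nonce}

    # Same-site submit: the page posts back the hidden field it rendered.
    genuine = {"login": "alice", "form_nonce": nonce}
    # Cross-site submit: cookies ride along, but the foreign page cannot
    # read the hidden field, so no form_nonce is present.
    forged = {"login": "someone-else"}

    return {
        "form/genuine": server.login_form_nonce(jar, genuine),
        "form/forged": server.login_form_nonce(jar, forged),
        "cookie/genuine": server.login_cookie_nonce(jar, genuine),
        "cookie/forged": server.login_cookie_nonce(jar, forged),
    }
```

With the form-field check only the genuine submit passes; with the cookie check both pass, so the nonce no longer distinguishes the two.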
Use the Login module's logme() method.
Wow, it's already implemented. Thanks!